#DESC LOCATE - Security Enhanced version of the GNU Locate # # Author: Dan Walsh # ################################# # # Rules for the locate_t domain. # # locate_exec_t is the type of the locate executable. # daemon_base_domain(locate) role system_r types locate_t; role sysadm_r types locate_t; allow locate_t fs_t:filesystem getattr; ifdef(`crond.te', ` system_crond_entry(locate_exec_t, locate_t) allow system_crond_t locate_log_t:dir rw_dir_perms; allow system_crond_t locate_log_t:file { create append getattr }; allow system_crond_t locate_etc_t:file { getattr read }; ') allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms; allow locate_t { fs_type file_type }:dir r_dir_perms; dontaudit locate_t sysctl_t:dir getattr; allow locate_t file_type:lnk_file r_file_perms; allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr; dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read; dontaudit locate_t security_t:dir getattr; dontaudit locate_t shadow_t:file getattr; allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr; allow locate_t unlabeled_t:dir_file_class_set getattr; allow locate_t unlabeled_t:dir read; logdir_domain(locate) etcdir_domain(locate) type locate_var_lib_t, file_type, sysadmfile; typealias locate_var_lib_t alias var_lib_locate_t; create_dir_file(locate_t, locate_var_lib_t) dontaudit locate_t sysadmfile:file getattr; allow locate_t proc_t:file { getattr read }; allow locate_t self:unix_stream_socket create_socket_perms; # # Need to be able to exec renice # can_exec(locate_t, bin_t) dontaudit locate_t rpc_pipefs_t:dir r_dir_perms; dontaudit locate_t rpc_pipefs_t:file getattr; # # Read Mtab file # allow locate_t etc_runtime_t:file { getattr read }; # # Read nsswitch file # allow locate_t etc_t:file { getattr read }; dontaudit locate_t self:capability dac_override; allow locate_t self:capability dac_read_search; # sysadm_t runs locate in his own domain. # We use a type alias to simplify the rest of the policy, # which often refers to $1_locate_t for the user domains. typealias sysadm_t alias sysadm_locate_t; allow locate_t userdomain:fd use; ifdef(`cardmgr.te', ` allow locate_t cardmgr_var_run_t:chr_file getattr; ')